Does lichess API support OPTIONS ?

Hi,

I've written a few integrations with lichess that run serverless (they run in users' browsers). Recently they have stopped working and I think it is because the lichess server is not providing the 'AllowsOrigin' headers in the OPTIONS call. Is this a conscious change?

e.g. Chrome will first send this to GET /account/me (captured from dev tools curl as bash):

curl 'lichess.org/account/me' -X OPTIONS -H 'Pragma: no-cache' -H 'Access-Control-Request-Method: GET' -H 'Origin: preview.c9users.io' -H 'Accept-Encoding: gzip, deflate, br' -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36' -H 'Accept: */*' -H 'Cache-Control: no-cache' -H 'Connection: keep-alive' -H 'Access-Control-Request-Headers: authorization' --compressed

To which lichess responds 404 - Resource not found

The GET works fine with the Bearer token. But Chrome refuses to do the GET because the OPTIONS preflight step fails.

@tailuge

You fixed it for api/account, great!

Same is true on the robot event endpoints:

> OPTIONS /api/stream/event HTTP/1.1
> Host: lichess.org
> Access-Control-Request-Method: GET
> Origin: preview.c9users.io
> Accept-Encoding: gzip, deflate, br
> Accept: */*
> Connection: keep-alive
> Access-Control-Request-Headers: authorization
>
< HTTP/1.1 404 Not Found
* Server nginx is not blacklisted
< Server: nginx
< Date: Sat, 28 Apr 2018 08:23:56 GMT
< Content-Type: text/plain; charset=utf-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Strict-Transport-Security: max-age=15552000; includeSubDomains; preload

I'm almost able to run a bot in a browser now - final hurdle(?) is that the axios library reasonably insists on sending the Content-Type header on POST requests. The OPTIONS is not allowing this header:

curl 'listage.ovh/api/challenge/1H3TqbgK/accept' -X OPTIONS -H 'Access-Control-Request-Method: POST' -H 'Origin: preview.c9users.io' -H 'Accept-Encoding: gzip, deflate, br' -H 'Accept: */*' -H 'Connection: keep-alive' -H 'Access-Control-Request-Headers: authorization,content-type' --verbose

Failed to load lichess.org/api/challenge/cQx9HmzM/accept: Request header field Content-Type is not allowed by Access-Control-Allow-Headers in preflight response.

Nice.

You may want to add a button linking to the user TV page, so they can go watch their games.

This topic has been archived and can no longer be replied to.
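
The preflight failures reported in this thread (a 404 on OPTIONS, then Content-Type missing from Access-Control-Allow-Headers) can be reproduced offline with a small model of the browser's check. This is an added example, not code from the thread or from lichess; the origin, the sample responses and the names preflightFailure, tokens, SAMPLE_REQ and cors are assumptions made up for illustration.

```javascript
// Added example: approximates the browser's CORS preflight check (Fetch standard).
// All origins and responses here are constructed samples, not lichess.org output.

// Split a comma-separated header value into lower-cased tokens.
function tokens(value) {
  return (value || "").split(",").map((t) => t.trim().toLowerCase()).filter(Boolean);
}

// req: { origin, method, requestHeaders }, where requestHeaders holds the names
//      the browser sends in Access-Control-Request-Headers.
// res: { status, headers } as returned for the OPTIONS request.
// Returns null when the preflight passes, otherwise the reason it fails.
function preflightFailure(req, res) {
  const h = {};
  for (const [k, v] of Object.entries(res.headers)) h[k.toLowerCase()] = v;

  if (res.status < 200 || res.status > 299) return `status ${res.status} is not 2xx`;

  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin !== "*" && allowOrigin !== req.origin) return "origin not allowed";

  // GET, HEAD and POST are CORS-safelisted methods and need no explicit listing.
  const method = req.method.toLowerCase();
  const methods = tokens(h["access-control-allow-methods"]);
  if (!["get", "head", "post"].includes(method) && !methods.includes(method) && !methods.includes("*"))
    return `method ${method} not allowed`;

  const allowed = tokens(h["access-control-allow-headers"]);
  for (const name of req.requestHeaders.map((n) => n.toLowerCase())) {
    // "*" never covers Authorization; it has to be listed by name.
    const ok = allowed.includes(name) || (allowed.includes("*") && name !== "authorization");
    if (!ok) return `header ${name} not allowed`;
  }
  return null;
}

// Constructed request: a POST carrying a Bearer token and a JSON body.
const SAMPLE_REQ = { origin: "https://app.example", method: "POST",
                     requestHeaders: ["authorization", "content-type"] };
// Constructed 204 preflight response with a given Access-Control-Allow-Headers value.
const cors = (allowHeaders) => ({ status: 204, headers: {
  "Access-Control-Allow-Origin": "https://app.example",
  "Access-Control-Allow-Headers": allowHeaders } });

console.log(preflightFailure(SAMPLE_REQ, { status: 404, headers: {} }));
console.log(preflightFailure(SAMPLE_REQ, cors("authorization")));
console.log(preflightFailure(SAMPLE_REQ, cors("*")));
console.log(preflightFailure(SAMPLE_REQ, cors("Authorization, Content-Type")));
```

On the server side, listing the allowed origins and headers by name keeps the policy explicit; a `*` in Access-Control-Allow-Headers still leaves Authorization blocked, as the third sample shows.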